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Abstract — Parametric analysis is a powerful tool for designing 
modern embedded systems, because it permits to explore the 
space of design parameters, and to check the robustness of the 
system with respect to variations of some uncontrollable variable. 
In this paper, we address the problem of parametric schedulabil- 
ity analysis of distributed real-time systems scheduled by fixed 
priority. In particular, we propose two different approaches to 
parametric analysis: the first one is a novel technique based on 
classical schedulability analysis, whereas the second approach is 
based on model checking of Parametric Timed Automata (PTA). 

The proposed analytic method extends existing sensitivity 
analysis for single processors to the case of a distributed system, 
supporting preemptive and non-preemptive scheduling, jitters 
and unconstrained deadlines. Parametric Timed Automata are 
used to model all possible behaviours of a distributed system, and 
therefore it is a necessary and sufficient analysis. Both techniques 
have been implemented in two software tools, and they have 
been compared with classical holistic analysis on two meaningful 
test cases. The results show that the analytic method provides 
results similar to classical holistic analysis in a very efficient way, 
whereas the PTA approach is slower but covers the entire space 
of solutions. 

I. Introduction and motivation 

Designing and analysing a distributed real-time system is a 
very challenging task. The main source of complexity arises 
from the large number of parameters to consider: task priority, 
computation times and deadlines, synchronisation, precedence 
and communication constraints, etc. Finding the "optimal" 
values for the parameters is not easy, and often the robustness 
of the solution strongly depends on the exact values: a small 
change in one parameter may completely change the behaviour 
of the system and even compromise the correctness. For these 
reasons, designers are looking for analysis methodologies that 
enable incremental design and exploration of the space of 
parameters. 

Task computation times are particularly important param- 
eters. In modem processor architectures, it is very difficult 
to precisely compute worst-case computation times of tasks, 
and estimations derived by previous executions are often used 
in the analysis. However, estimations may turn out to be 
optimistic, hence an error in the estimation of a worst-case 



execution time may compromise the schedulability of the 
system. 

The goal of this research is to characterise the space of 
the parameters of a real-time system for which the system 
is schedulable, i.e. all tasks meet their deadlines. Parametric 
analyses for real-time systems have been proposed in the past, 
especially on single processors |fl], 0, 0, 0. 

In this paper, we investigate the problem of doing parametric 
analysis of real-time distributed systems scheduled by fixed 
priority. We consider an application modelled by a set of 
pipelines of tasks (also called transactions in 0), where each 
pipeline is a sequence of tasks that can be periodic or sporadic, 
and all tasks in a pipeline must complete before an end-to-end 
deadline. We consider that all nodes in the distributed system 
are connected by one or more CAN bus 0. 

We propose: 

• a new method for doing paramettic analysis of distributed 
real-time systems scheduled by fixed priority scheduling. 
The method extends the sensitivity analysis proposed by 
Bini et al. 0, by considering distributed systems and 
non-preemptive scheduling. 

• a model of a distributed real-time system using parametric 
timed Automata, and a model checking methodology 
using the Inverse Method 0, 0, 0; 

• comparison of these two approaches with classical holis- 
tic analysis using the MAST tool |9|, iflOll . in terms of 
complexity and precision of the analysis. 

II. Related Work 

There has been a lot of research work on parametric 
schedulability analysis, especially on single processor systems. 
Bini and Buttazzo [11 J proposed an analysis of fixed priority 
single processor systems based on Lehoczky test lfl2l . Later, 
Bini, Di Natale and Buttazzo proposed a more complex 
analysis, which considers also the task periods as parameters. 
Such results are summarised and extended in Bini's PhD thesis 

m. 

Parameter sensitivity can be also be carried out by repeat- 
edly applying classical schedulability tests, like the holistic 



analysis |fl3l , |5l . One example of this approach is used in 
the MAST tool [9|, [10], in which it is possible to compute 
the slack (i.e. the percentage of variation) with respect to one 
parameter for single processor and for distributed systems by 
applying binary search in that parameter space ifPJl . 

A similar approach is followed by the SymTA/S tool lfl4l . 
which is based on the event-stream model [15 |. Another inter- 
esting approach is the Modular Performance Analysis (MPA) 
|16| which is based on Real-Time Calculus |fl7l . In both 
cases, the analysis is compositional, therefore less complex 
than the holistic analysis; nevertheless, these approaches are 
not fully parametric, in the sense that it is necessary to repeat 
the analysis for every combination of parameters values in 
order to obtain the schedulability region. 

Model checking on Parametric Timed Automata (PTA) can 
be used for parametric schedulability analysis, as proposed by 
Cimatti, Palopoli and Ramadian [3|. In particular, thanks to 
generality of the PTA modelling language, it is possible to 
model a larger class of constraints, and perform parametric 
analysis on many different variables, for example task offsets. 
Their approach has been recently extended to distributed real- 
time systems lfl8l . 

Also based on PTA is the approach proposed by Andre et 
al. 0). Their work is based on the Inverse Method [7| and 
it is very general because it permits to perform analysis on 
any system parameter. However, this generality can be paid in 
terms of complexity. 

In this paper, we first propose an extensions of the methods 
in H i for distributed real-time systems. We also propose a 
model of a distributed real-time systems in PTA, and compare 
the two approaches against classical holistic analysis. 

III. System model 

We consider distributed real-time systems consisting of 
several computational nodes, each one hosting one single 
processor, connected by one or more shared networks. We 
consider preemptive fixed priority scheduling for processors, 
as this is the most popular scheduling algorithm used in 
industry today, and non-preemptive fixed priority scheduling 
for networks. In particular, the CAN bus protocol is a very 
popular network protocol that can be analysed using non- 
preemptive fixed priority scheduling analysis [6|. We will 
consider extensions to our methodology to other scheduling 
algorithms and protocols in future works. 

For the sake of simplicity and uniformity of notation, in this 
paper we use the same terminology to denote processors and 
communication networks, and tasks and messages. Therefore, 
without loss of generality, from now on we will use the term 
task to denote both tasks and messages, and the term processor 
to denote both processors and networks 

A distributed real-time system consists of a set of task 
pipelines {V 1 , . . . ,V n } to be executed on a set of m pro- 
cessors {pi,p2, ■ ■ ■ ,j) m }. In order to simplify the notation, in 
the following we sometime drop the pipeline index when there 
is no possibility of misinterpretation. 



A pipeline is a chain of tasks V = {ti, . . . , t„}, and each 
task is allocated on one possibly different processor. A pipeline 
is assigned two fixed parameters: T is the pipeline period, 
and D e 2e is the end-to-end deadline. This means that the first 
task of the pipeline is activated every T units of time, and 
every activation is an instance (or job) of the task. We denote 
the fc-th instance of task Tj as r^fc. Every successive task in 
the pipeline is activated when the corresponding instance of 
the previous task has completed; finally, the last task must 
complete before D e 2 e units of time from the activation of the 
first task. Therefore, tasks must be executed in a sequence: job 
Ti fc cannot start executing before job Ti_i fc has completed. 

A task can be a piece of code to be executed on a CPU, or 
a message to be sent on a network. More precisely, a real-time 
periodic task r, = (Ci,Ti, D i: Di,iTi, Ji) is modelled by the 
following fixed parameters: 

• Ti is the task period. All tasks in the same pipeline have 
period equal to the pipeline period T; 

• TTi is the task priority; the higher 7Tj, the larger the priority; 

• Di is the task^keii deadline; all jobs of Ti must complete 
within Di from their activation. 

Also, a task has the following free parameters: 

• Ci is the worst-case computation time (or worst-case 
transmission time, in case it models a message). In this 
paper we want to characterise the schedulability of the 
system in the space of the computation times, so Ci is a 
free parameter. 

• Di is a variable denoting an upper bound on the task 
worst-case completion time. We will call this variable 
actual task deadline or simply task deadline. Of course, 
we require that Di < D{. Remember that fixed priority 
does not use the task deadline for scheduling, but just 
for schedulability analysis. As we will see later, we will 
use this variable for imposing precedence constraints on 
pipelines. We say that a task has constrained deadline 
when Di < Ti, and unconstrained deadline when Di > 
Ti. 

• Ji is the task start time jitter (see below). 

As anticipated, a task consists of an infinite number of jobs 
Ti.fe,fc = 1,.... Each job is activated at time a. L ,k = kTi, 
can start executing (or can be sent on the network) no earlier 
than time Si,k, with a^fc < Si^k < a-i,k + Ji, executes (or is 
transmitted over the network) for Cj j. < C{ units of time, 
and completes (or is received) at fi k- For the task to be 
schedulable, it must be Vk, fi^k < di.fc = di,k + Di- A 
sporadic task has the same parameters as a periodic task, 
but parameter Ti denotes the minimum inter-arrival time 
between two consecutive instances. We also define the i-th 
level hyperperiod as Hi — lcm(7i, . . . , Ti). 

In this paper, we use the following convention. All tasks 
belonging to a pipeline V = {t\, . . . , t„} are activated at the 
same time a^k = a-i.k- However, only the first task can start 
executing immediately: sx,fc = o-i.k- The following tasks can 
only start executing when the previous task has completed: 
Vi = 2, . . . , n Si.k = /i-i.fc- The task jitter is the worst case 



start time of a task: J; > xn.ax.k{si,k — a^fe}. 

A scheduling algorithm is /«Wy preemptive if the execution 
of a lower priority job can be suspended at any instant by 
the arrival of a higher priority job, which is then executed in 
its place. A scheduling algorithm is non-preemptive if a lower 
priority job can complete its execution regardless of the arrival 
of higher priority jobs. In this paper, we consider preemptive 
fixed priority scheduling for CPUs, and non-preemptive fixed 
priority scheduling for networks. 

IV. Analytic method 

In this section we describe a novel method for parametric 
analysis of distributed system. The method is based on the 
sensitivity analysis by Bini et al. Q, |[T), and extends it to 
include jitter and deadline parameters. 

A. Single processor preemptive fixed priority scheduling 

There are many ways to test the schedulability of a set of 
real-time periodic tasks scheduled by fixed priority on a single 
processor. In the following, we will use the test proposed by 
Seto et al. [19| because it is amenable to parametric analysis 
of computation times, jitters and deadlines. 

With respect to the original formulation, we now consider 
tasks with constrained deadlines (i.e. Di can be less than or 
equal to Tj). 

Theorem 1. Consider a system of sporadic tasks {r\, . . . , t„} 
with constrained deadlines and zero jitter, executed on a single 
processor by a fixed priority scheduler. Assume all tasks are 
ordered in decreasing order of priorities, with t\ being the 
highest priority task. 

Task Ti is schedulable if and only if: 

1 C % + E;=i n 3 C 3 < A 



ijCj < n k T k Vk = 1, . . . , i - 1 



1 is the set of all possible vectors of ( 



(1) 

1) positive 



where W 
integers. 

Proof: See d and flS). ■ 
Notice that, with respect to the original formulation, we have 
separated the case of k = i from the rest of the inequalities. 

The theorem allows us to only consider sets of linear 
inequalities, because the non-linearity has been encoded in 
the variables rij. The resulting system is a set of inequali- 
ties in disjunctive and conjunctive form. Geometrically, this 
corresponds to a non-convex polyhedron in the space of the 
variables d,Di. 

How many vectors n do we have to consider? If the deadline 
Di is known, the answer is to simply consider all vectors 
corresponding to the minimal set of scheduling points by Bini 
and Buttazzo [20|. If Di is unknown, we have to consider 
many more vectors: more specifically, we must select all 
multiples of the period of any task Tj with priority higher 
than Ti, until the maximum possible value of the deadline. All 
vectors until time t can be computed as: 

f T kTh ' 

&~\t) = I n | 3k, h, kT h < t ■ Vj, nj = 



(2) 



If a task is part of a pipeline with end-to-end deadline equal to 
D e 2e, then Di < D e 2 e (keep in mind that, by now, the deadline 
is supposed to not exceed the task period). Therefore, we have 
to check all n e S i_1 (-D e 2e). 

The number of vectors (and correspondingly, the number 
of inequalities) depends on the relationship between the task 
periods. In real applications, we expect the periods to have 
"nice" relationships: for example, in many cases engineers 
choose periods that are multiples of each others. Therefore, 
we expect the set of inequalities to have manageable size for 
realistic problems. 

We have one such non-convex region for every task r^. Since 
we have to check the schedulability of all tasks on a CPU, we 
must intersect all such regions to obtain the final region of 
schedulable parameters. 

B. Unconstrained deadlines and jitters 

We now extend Seto's test to unconstrained deadlines and 
variable jitters. When considering a task with deadline greater 
than period, the worst-case response time may be found in any 
instance, not necessarily in the first one (as with the classical 
model of constrained deadline tasks). Therefore, we have to 
check the workload not only of the first job, but also of the 
following jobs of Tj. Let use define hi = i.e. the number of 
jobs of Ti contained in the i-level hyperperiod. Then, task Tj is 
schedulable if and only if the following system of inequalities 
is verified: 

V/i = 1, . . . , hi, 3n e W-^hTi + D e2e ) (3) 

i-l 

hCi + ^^rijCj < n k T k ,\/k = l,...,i-l 

3 = 1 
i-l 

hd + njCj <(h-l)Ti + Di 

3 = 1 

The correctness of the test is proved by the following 
Lemma. 

Lemma 1. Consider a system T — {r\, . . . , Tj_i, Tj}. Let 
T^> be a task set obtained from T by substituting Ti with 
t^ having computation time C} = hCi, deadline D^ = 
(h — l)Ti + Di and the same priority itf 1 ^ — i\i. 

If for every h — 1, . . . , hi, task rf 1 completes before its 
deadline, then the first hi jobs of Ti will also complete before 
their deadlines. 

Proof: By induction. Base of induction: the response time 
of job h = 1 corresponds to the response time of the first job 
of t^' (trivially true). Therefore, if 7$ is schedulable, also 
the first job of Tj is schedulable. 

Now, the induction step. Suppose the Lemma is valid for 
h = 1, . . . , k, we are now going to prove that is also valid 
for h — 1, . . . , k + 1. By assumption, the first job of t^ is 
schedulable for h = 1, . . . , fc. As a consequence of the validity 
of the Lemma, also the first k instances of r» are schedulable. 
Let /i.fc be the finishing time of the first job of r> . We have 
two cases: either /^ fc < kT t , or kTi < fi.k < (k — l)Ti + D. t . 



In the first case, job k + 1 is only subject to the interference 
of higher priority tasks. Therefore, its worst case response time 
correspond to the situation in which all higher priority tasks 
arrive at the same time kTi (critical instant), and it is therefore 
equal to the response time of the first job h = 1, hence also 
schedulable. We can conclude that the Lemma is true without 
further induction steps. 

In the second case, the k + l job has to wait for the previous 
job k to finish before it can start executing. In particular, there 
is no idle time in interval [0, Therefore, the response 

time of job k + l coincides with the response time of task 
T^ k+1 , and if the second one is schedulable, also job k + 1 is 
schedulable. 

Finally, since the first instance of rf^ is schedulable for all 
h = 1, . . . , hi, and given that C\ = hd, then from Theorem 
Q] follows that the system of Inequalities in (0) is verified. ■ 

To take into account the task jitter, we can appropriately 
adjust the last term that accounts for the task deadline, and 
the set B^it). 



Theorem 2. Task Ti is schedulable if: 
V/i = l,...,^, 3neW-\D e2e ) 

1 i 



hCi + TijCj < rikTk — J/c V/c = 1, . . . , i — 1 
hC, + njCj <(h- l)Ti + A - Ji 



(4) 



(5) 



where 



B 1 - 1 ^) = \ n\ 3k, h,kT h - D h <t: \/jn.j = 



kT h + D h 

Proof: We report here a sketch of the complete proof. 
For every higher priority interfering task Tk, the worst case 
situation is when the first instance arrives at whereas the 
following instances arrive as soon as it is possible. Therefore, 
the scheduling points must be modified from nkTk to nkTk — 
Jfe. For what concerns task r,-, the critical instant corresponds 
to the situation in which the first instance can only start at Ji, 
hence the available interval is [h — 1)T. L + D t — Ji. ■ 
Notice that the introduction of unconstrained deadline adds 
a great amount of complexity to the problem. In particu- 
lar, the number of non-convex regions to intersect is now 
C(X)"=i t 1 )' which is dominated by 0(nH n ). So, the pro- 
posed problem representation does not scale with increasing 
hyperperiods; however, as we will show in Section [VI] the 
problem is tractable when periods are harmonic or quasi- 
harmonic, as it often happens in real applications. 

C. Non preemptive scheduling 

In this paper we model the network as a non-preemptive 
fixed priority scheduled resource. In non-preemptive fixed 
priority scheduling, the worst-case response time for a task Ti 
can be found in its longest i-level active period [21]. A i-level 
active period Li is an interval [a, b) such that the amount of 



processing that needs to be performed due to jobs with priority 
higher than or equal to r, (including itself) is larger than 
Mt S (a, b), and equal to at instants a and b. The longest 
Li can be found by computing the lowest fixed point of the 
following recursive function [22]: 

L® = Bi + Ci 

• ( s -l) 



j<=i 



T, 



(6) 



where Bi — max^^C^ — 1). 

In order to find the worst-case response time of task Ti, all 
jobs n,k that appear in the longest Li need to be checked, 

with jfe'e [l, rff]]. 

To obtain the worst-case response time, we compute first 
its worst-case start time. When there is no jitter, George et 
al. lf22l give the following formula to compute the worst-case 
start time of a job r^fe : 



,(0) 



„(*+!) 



Bi 



B, 



(k-i)c i+ j2( 

j<i 



(7) 



Note that (k — l)Cj is the computation time of the preceding 
(k — 1) jobs. Since a lower priority task's execution cannot be 
preempted, this could "push" one job of a higher priority task 
to interfere with its future jobs. 

Observe that the iterating computation of Li in Equation (O 
is non decreasing and (when the system utilisation is no larger 
than 1) Bi + £ 3 -<=< rff ] C, <= B t + H h so the length of Li 
will not exceed Bi + Hi. 

In this paper, the worst-case execution time of the tasks are 
considered free parameters. However, Li can still be upper 
bounded by L, ; = maxj<j(Tj) + Hi. Now, we can derive 
a similar feasibility test for non preemptive scheduling as in 
Theorem |2] 



Theorem 3. A non preemptive task Ti is schedulable if . 



vh = i, . . . , r 



Ti 



3n e 



Bi + (h- l)Ci + V rijCj < niTi - J t VZ = 1 



\D e2e ) 



(8) 



i-l 



Bi + (h- l)Ci + J2 <( h ~ l ) T i +Di-Ci-Ji 



(9) 

where B I_1 (D e 2 e ) is defined as in Theorem\2\ and Bi is the 
blocking time that task Ti suffers from lower priority tasks: 

Vi,Vj > i Bi<Cj - 1 

Proof: See the sufficient part of proof in |[T9l and Theo- 
rem |2] ■ 

Term Bi is an additional free variable used to model the 
blocking time that a task suffers from lower priority tasks. It 



is possible to avoid the introduction of this additional variable 
by substituting it in the inequalities with a simple Fourier- 
Motzkin elimination. 

Like in the preemptive case, for every non preemptive 
task, this theorem builds a set of inequalities. The system 
schedulability region is the intersection of all the sets. The 
complexity of this procedure is the same as for the preemptive 
case. 

D. Distributed systems 

Until now, we have considered the parametric analysis of 
independent tasks on single processor systems, with computa- 
tion times, deadlines and jitter as free parameters. In particular, 
the equations in Theorem [2] and Theorem [3] give us a way to 
express the constraints on the system in a fully parametric 
way: all solutions to the system of Inequalities (0]l and ([H} 
are all the combinations of computations times, deadlines and 
jitters that make the single processor system schedulable. 

It is important to make one key observation. If we fix the 
computation times and the jitters of all tasks, and we leave the 
deadlines as the only free variables, the worst-case response 
time of each task can be found by minimising the deadline 
variables. As an example, consider the following task set (the 
same as in ifTTl ) to be scheduled by preemptive fixed priority 
scheduling on a single processor: 



Task 


Ci 


Ti 


A 


Pi 


n 


1 


3 


3 


3 




2 


8 


7 


2 


T~3 


4 


20 


? 


1 



We consider D3 as a parameter and set up the system of 
inequalities according to Equation ©. After reduction of the 
non-useful constraints, we obtain 

12 < As < 20 

Notice that 12 is actually the worst-case response time of T3. 

The second key observation is that a precedence constraint 
between two consecutive tasks Tj and t; + i in the same pipeline 
can be expressed as Di < J,+i. This basically means that the 
worst-case response time of task Tj should never exceed the 
jitter (i.e. worst-case start time) of task 73+1. Therefore, we 
have a way to relate tasks allocated on different processors 
that belong to the same pipeline. 

Finally, the last task in every pipeline, let us call it r„ must 
complete before the end-to-end deadline: D n < A2e- 

We are now ready use inequalities in (2) as building 
blocks for the parametric analysis of distributed systems. The 
procedure to build the final system of inequalities is as follows: 

1) For each processor, we build the system of inequalities 
©, and for every network the system of inequalities in 
(0. All these systems are independent of each other, 
because they are constraints on different tasks, so they 
use different variables. The combined system contains 
3 * N variables, where N is the total number of tasks. 

2) For every pipeline, we add the following precedence 
constraints: 



• For the first task in the pipeline, let us denote it as 
Ti, we set its jitter to 0: J% = 0. 

• For every pair of consecutive tasks, let us denote 
them as r, and Ti+i, we impose the precedence 
constraint: Di < Jj+i; 

• For the last task in the pipeline, let us denote it 
as r n , we impose that it must complete before its 
end-to-end deadline D n < Ae2e- 

Such constraints must intersect the combined system to 
produce the final system of constraints. 
To give readers an idea how the parameter space of a 
distributed system would look like, here is a very simple exam- 
ple, built with the goal of showing the general methodology 
without taking too much space. We consider a system with 
two processors (and no network), two tasks t\ and T3, and 
one pipeline consisting of two tasks, r%\ and T22. 



Pipeline 


Task 


Ki 


Resource 


Ti 


A(A 2e ) 




n 


2 


CPU1 


10 


4 


p2 


r{ 


1 


CPU1 


20 


6 


r! 


2 


CPU2 






T~3 


1 


CPU2 


16 


16 



To make sure that for each task we have one single inequality 
(see Equation (0|i) we set up the deadlines short enough so that 
one schedulability point for each task needs to be considered, 
thus avoiding complex disjoints. 

Based on the analysis in this section, we derive a set of 
constraints, where J, C and D are the free variables for the 
tasks. 

' Ji > 0,Ci > 0, C\ > 0, Cf > 0, J 3 > 0, c 3 > 

A < 4, A < 16 

Ci + Ji < A 

C21 + C\ < Aii 
' Cf + Jf <D| 

C 3 + Cf + Jf < 20 

C 3 + Cf + J 3 < A 
K Jf = 0,Dl<JlD%<6 

In the first two lines, we show the "trivial" inequalities: all 
values must be non-negative, and every deadline must not 
exceed the corresponding maximum deadline specified in the 
table. The inequalities at line 3 and 4 and the inequalities 
at line 5, 6 and 7 are (reduced) constraints (according to 
Theorem |2]i on the schedulability of tasks on processor 1 and 
2, respectively. Finally, the inequalities in the last line are the 
ones imposed by the precedence constraints between jf and 
rf. 

A real system will produce a much more complex set of 
constraints. For each task we will need to prepare a set of 
disjoint inequalities, that must be intersect with each other: 
this may greatly increment the number of inequalities to 
be considered. Also, often we need to model the network. 
Therefore, we prepared a software tool to automatically build 
and analyse the set of inequalities for a distributed system. 



E. Implementation 

The analytic method proposed in this section has been 
implemented in RTSCAN [23], a C/C++ library publicly 
available as open source code that collects different types of 
schedulability tests. The code for the parametric schedulability 
analysis uses the PPL (Parma Polyhedra Library) ll24l . a 
library specifically designed and optimised to represent and 
operate on polyhedra. The library efficiently operates on ra- 
tional numbers with arbitrary precision: therefore, in this work 
we make the assumption that all variables (computations times, 
deadlines and jitter) are defined in the domain of integers. This 
does not represent a great problem, since in practice every 
value is multiple of a real-time clock expressed as number of 
ticks. 

An evaluation of this tool, and of the complexity of the 
analysis presented here, will be presented in Section |VT] 

V. The Inverse Method approach 
A. Parametric Timed Automata 

Timed Automata are finite-state automata augmented with 
clocks, i.e., real-valued variables increasing uniformly, that are 
compared within guards and invariants with timing delays fl25ll . 
Parametric timed automata (PTAs) [26| extend timed automata 
with parameters, i.e., unknown constants, that can be used in 
guards and invariants. 

Formally, given a set X of clocks and a set P of parameters, 
a constraint C over X and P is a conjunction of linear 
inequalities on X and P. Given a parameter valuation (or 
point) 7r, we write tt \= C when the constraint where all 
parameters within C have been replaced by their value as in tt 
is satisfied by a non-empty set of clock valuations. 

Definition 1. A PTA A is (£, Q, q , X, P, K, I, ->-) with £ a 
finite set of actions, Q a finite set of locations, qo € Q the 
initial location, X a set of clocks, P a set of parameters, K 
a constraint over P, I the invariant assigning to every q £ Q 
a constraint over X and P, and — > a step relation consisting 
of elements (q,g,a,p,q'), where q,q' £ Q, a£S, p C X is 
the set of clocks to be reset, and the guard g is a constraint 
over X and P. 

The semantics of a PTA A is defined in terms of states, 
i.e., couples (q, C) where q E Q and C is a constraint 
over X and P. Given a point tt, we say that a state (q, C) 
is 7r-compatible if tt \= C. Runs are alternating sequences 
of states and actions, and traces are time-abstract runs, i.e., 
alternating sequences of locations and actions. The trace set 
of A corresponds to the traces associated with all the runs 
of A. Given A and tt, we denote by A[tt] the (non-parametric) 
timed automaton where each occurrence of a parameter has 
been replaced by its constant value as in tt. One defines 
Post\^ K ^(S) as the set of states reachable from a set S 
of states in exactly i steps under K, and Post^ K ^(S) = 

U>0 P0Si ll A(K){S). 

Detailed definitions on parametric timed automata can be 
found in, e.g., Q. 



The Inverse Method exploits the model of Timed Automata 
and the knowledge of a reference point of timing values for 
which the good behaviour of the system is known. The method 
synthesises automatically a dense zone of points around the 
reference point, for which the discrete behaviour of the system, 
that is the set of all the admissible sequences of interleaving 
events, is guaranteed to be the same. Although the principle of 
the inverse method shares similarities with sensitivity analysis, 
its algorithm proceeds by iterative state space exploration. 
Furthermore, its result comes under the form of a fully 
parametric constraint, in contrast to sensitivity analysis. By 
repeatedly applying the method, we are able to decompose the 
parameter space into a covering set of "tiles", which ensure a 
uniform behaviour of the system: it is sufficient to test only 
one point of the tile in order to know whether or not the system 
behaves correctly on the whole tile. 

B. System model with PTAs 

In this section, we show how we modelled a schedulability 
problem as defined in HID similarly to what has been done in 
(8). In the current implementation, we only model pipelines 
with end-to-end deadlines no larger than their periods. More- 
over, all pipelines are strictly periodic, and have offset. This 
means that the results of the parametric analysis produced by 
this model are only valid for periodic synchronous pipelines. 

We illustrate our model with the help of an example of 
two pipelines V 1 ,V 2 with V 1 = {ti,t 2 }, V 2 = {t 3 ,t 4 }, 
P(n) = P(n) = pi, p(t 2 ) = p(t 3 ) = p 2 , pi being a 
preemptive processor and p 2 being non-preemptive. We have 
that tt\ > 7T4 and tt 3 > tti- 

In Figure Q] we show the model of a pipeline. A pipeline is 
a sequence of tasks that are to be executed in order: when a 
task completes its instance, it instantly activates the next one 
in the pipeline. Once every task in the pipeline has completed, 
the pipeline waits for the next period to start. 
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Fig. 1. PTA modelling a pipeline V 1 with two tasks t±,T2 

In Figure [2] we present how we model a preemptive proces- 
sor. The processor can be idle, waiting for a task activations. 
As soon as a request has been received, it moves to one of the 
states where the corresponding higher priority task is running. 
If it receives another activation request, it moves to the state 
corresponding to the highest priority task running. Moreover, 
while a task executes, the scheduler automaton checks if the 
corresponding pipeline misses its deadline. In the case of a 
deadline miss, the processor moves to a special failure state 
and stops any further computation. 

In Figure [3] we present the model a non-preemptive pro- 
cessor. Similarly to the previous case, the processor can be 




Fig. 2. PTA modelling a preemptive processor with two tasks t\ , T4 



idle, waiting for an activation request. As soon as a request 
as been received it moves to a corresponding state, setting 
a token corresponding to the activated task to 1. If another 
request is sent at the same time, it sets a corresponding token 
to 1, and moves to the state where the highest priority task 
will be running. Once a task is completed, the processor set 
the corresponding token to 0, and according to the token set 
to 1, moves to the state where the highest priority task will be 
running. Similarly to the previous case, while a task executes, 
the automaton checks for deadline misses, and in that case it 
stops any further computation by moving to a special failure 
state. 
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T2 activation 
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Fig. 3. PTA modelling a non-preemptive processor with two tasks T2,t% 

Since we model periodic pipelines, and the model explores 
all possible traces, we expect that schedulability region will 
be larger that the one obtained with other techniques which 
only consider sporadic pipelines (like the analysis proposed in 
Section IIVI ). An assessment of this difference is provided in 
the next section. 



Pipeline/Task 


T 


D e 2e 


Tasks 


c 


71" 


V 


n 


20 


20 




free 


9 


1 








l 

t{ 


free 


3 


1 








1 

T 2 


10 


9 


2 


P 1 


150 


150 




8 


5 


3 








: 


15 


2 


2 








4 


25 


2 


1 


T2 


30 


30 




6 


9 


3 


T3 


200 


200 




40 


2 


3 



TABLE I 

Test Case 1 : one pipeline with deadline equal to period. 



VI. Evaluation 

We evaluated the effectiveness and the running time of 
three different tools for parametric schedulability analysis: 
the RTSCAN tool, which implements the analytic method 
described in Section |IVl the IMITATOR tool QD, described 
in Section [Vj and the MAST tool iflOt 

We highlight that the three tools are implemented in differ- 
ent languages, and use different ways to optimise the analysis; 
RTSCAN is implemented in C/C++ and uses on the PPL 
library; IMITATOR is implemented in OCaml, but it also 
used the PPL libraries for building regions; finally, MAST 
is implemented in Ada. 

For MAST, we have selected the "Offset Based analysis", 
proposed in [13|. For IMITATOR, we consider all pipelines 
as strictly periodic, and only deadlines less than periods. We 
evaluated the tools on two different test cases, in increasing 
order of complexity. We will first present the results, in 
terms of schedulability regions, for two different test cases. In 
order to simplify the visualisation of the results, for each test 
case, we will present the 2D region of two parameters only: 
however, all three methods are general and can be applied to 
any number of parameters. 

In Section lVI-CI after discussing some important implemen- 
tation details, we will and present the execution times of the 
three tools. 

A. Test case 1 

The first test case has been adapted from ifPJl (we reduced 
the computation times of some tasks to position the system in 
a interesting schedulability region). It consists of 2 processors, 
connected by a CAN bus, three simple periodic tasks and 
one pipeline. The parameters are listed in Table [Q Processor 
1 and 3 model two different computational nodes that are 
scheduled by preemptive fixed priority, and Processor 2 models 
a CAN bus with non-preemptive fixed priority policy. The 
only pipeline models a remote procedure call from CPU 1 to 
CPU 3. All tasks have deadlines equal to periods, and also 
the pipeline has end-to-end deadline equal to its period. Only 
two messages are sent on the network, and if the pipeline is 
schedulable, they cannot interfere with each other. We wish to 
perform parametric schedulability analysis with respect to C\ 
and C\. 

The resulting regions of schedulability from the tools 
RTSCAN and MAST are reported in Figure g] whereas the 




Fig. 4. Schedulability regions for test case 1, produced by RTSCAN (hatched 
pattern) and MAST (filled pattern) 



region produced by IMITATOR is reported in Figure |5]in green 
(the non schedulable region is also painted in red). The small 
white triangles are regions which do not contain any integer 
point, and have not been explored by the IMITATOR tool. 

In this particular test, RTSCAN dominates MAST. After 
some debugging, we discovered that the analysis algorithm 
currently implemented in MAST does not consider the fact that 
the two messages t\ and t\ cannot interfere with each other, 
and instead considers a non-null blocking time on the network. 
This is probably a small bug in the MAST implementation that 
we hope will be solved in a future version. 

Also, as expected, the region computed by IMITATOR dom- 
inates the other two tools includes the other two regions. The 
reason is in the different model of computation: IMITATOR 
considers fully periodic and synchronous pipelines, therefore it 
produces all possible traces that can be generated in this case. 
Both RTSCAN and MAST, instead, compute upper bounds on 
the interference that a task can suffer from higher priority task 
and from blocking time of lower priority tasks. Therefore, they 
can only provide a sufficient analysis. 
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Fig. 5. Schedulability regions for test case 1, produced by IMITATOR (green 
(lower) region) 
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TABLE II 

Test Case 2: two pipelines on 3 processors 
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Fig. 6. Schedulability regions for test case 2a, produced by RTSCAN 
(hatched) and MAST (filled) 



B. Test case 2 

The second test case is taken from |[T6l . It consists of two 
pipelines on 3 processors (with id 1, 3 and 4) and one network 
(with id 2). We actually consider two versions of this test case: 
in the first version (a) pipeline P 1 is periodic with period 
200msec and end-to-end deadline equal to the period. In the 
second version (b), the period of the first pipeline is reduced 
to 30msec (as in the original specification in [16|). The full 
set of parameters is reported in Table |II] where all values are 
expressed in microseconds. We perform parametric analysis 
on Cl and C\. 

For version (a) we run all tools and we report the regions 
of schedulability in Figure for RTSCAN and MAST. In 
this case, MAST dominated RTSCAN. The reason is due to 
the offset based analysis methodology used in MAST, which 
reduces the interference on one task from other tasks belonging 
to the same pipeline. RTSCAN does not implement such an 
optimisation (it will be the topic of future extensions) and 
hence it is more pessimistic. 

The results from IMITATOR are shown in Figure [7] Again, 
the region produced by IMITATOR dominates the one pro- 
duced by the other two tools. 

For version (b) we run only RTSCAN and MAST, because 
in the current version of IMITATOR we can only model 
constrained deadline systems. The results for version (b) are 
reported in Figure [8] In this case, MAST dominates RTSCAN. 



Again, this is probably due to the fact that MAST implements 
the offset-based analysis. 

C. Execution times 

Before looking at the execution times of the three tools 
in the three different test cases, it is worth to discuss some 
detail about their implementation. First of all, all the three 
tools are single threaded, therefore we did not use any kind of 
parallelisation technique in order to have a fair comparison. 
The RTSCAN tool uses the technique described in Section HVl 
and as a result it produces a disjunction of convex regions, each 
one corresponds to a set of inequalities in AND. Typically, the 
number of convex regions produced by the tool is relatively 
small. Also, there is no need to "explore" the space of 
feasible points, as these regions are naturally obtained from 
the problem constraints. 

IMITATOR also produces a disjunction of convex regions. 
However, these regions are typically smaller and disjoints. 
Moreover, to produce a region, IMITATOR needs to start 
from a candidate point on which to perform a sensitivity 
analysis. More specifically, it works as follows: 1) it starts 
from a random point (typically the centre of the interval) 
and computes a region around it. Then, it searches for the 
next candidate point outside of the already found regions. The 
key factor here is how this search is performed. Currently, 
IMITATOR search for a candidate point in the neighbourhood 
of the current region. This is a very general strategy that 
works for any kind of PTA. However, the particular structure 
of schedulability problems would probably require an ad-hoc 
exploration algorithm. 

MAST can perform schedulability analysis given a full 
set of parameter values, and it returns either a positive or a 
negative response. In addition, MAST can perform sensitivity 
analysis on one parameter (called slack computation in the 
tool), using binary search on a possible interval of values. This 
latter strategy can be used to implement parametric analysis: 
we select a interval of values for each free parameter that we 
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Fig. 7. Schedulability regions for test case 2a, produced by IMITATOR 
(green region) 



Fig. 8. Schedulability regions for test case 2b, produced by RTSCAN (grey 
filled) and MAST (red filled) 



wish to analyse. Then, we perform a cycle on all values of 
one parameter (with a predefined step) and we ask MAST to 
compute the interval of feasible values for the other parameter. 

This may not be the smartest way to proceed: it is possible, 
for example, to implement binary search on the full 2D space 
of free parameters to accelerate the execution time of the tool. 
We defer the implementation of such an algorithm as a future 
extension. 

All experiments have been performed onto a PC with 8Gb 
of RAM, an Intel Core 17 quad-core processor, working at 800 
Mhz per processor. 

We are now ready to present and discuss the execution times 
of the tools in the three test cases, which are reported in Table 
inil together with the length of the hyperperiod for the test 
cases. As you can see, for small problems RTSCAN performs 
very well. In test case 2b, the execution time of RTSCAN is 
much larger than the one obtained from test case 2a. This is 
due to the fact that in test case 2b, one pipeline has end-to- 
end deadline greater than the period, and therefore RTSCAN 
needs to compute many more inequalities (for all points in the 
hyperperiod). 

As for MAST, in test cases 2a and 2b (where the time 
units are expressed in microseconds, and therefore are quite 
large), the search has been run with a step of 100 for a good 
compromise between precision and execution time. However, 
we believe that a smarter algorithm for exploring the space of 
parameters can really improve the overall execution time. 

Finally, IMITATOR greatly suffers from a similar problem. 
We observed that the tool spends a few seconds for computing 
the schedulability region around each point. However, the re- 
gions are quite small, and there are many of them: for example, 
in test case 2a IMITATOR analysed 257 regions. Also, it 
spends a large amount of time in searching for neighbourhood 
points. Therefore, we believe that a huge improvement in the 
computation time of IMITATOR can be achieved by coming 
up with a smarter way of exploring the schedulability space. 
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TABLE III 

Execution times of the tools in the three test cases 



VII. Conclusions and Future Works 

In this paper we presented two different approaches to per- 
form parametric analysis of distributed real-time systems : one 
based on analytic methods of classic schedulability analysis; 
the other one based on model checking of PTA. We compared 
the two approached with classical holistic analysis. 

The results are promising, and we plan to extend this work 
along different directions. Regarding the analytic method, we 
want to enhance the analysis including static and dynamic 
offsets, following the approach of |[T3l . Also, in the future 
we will to extend the model to consider mutually exclusive 
semaphores and multiprocessor scheduling. 

Regarding IMITATOR, we plan to improve the algorithm 
to explore the space of parameters: one promising idea is to 
use the analytic method to find an initial approximation of the 
feasible space, and then extend the border of the space using 
PTAs. We also plan to collaborate with the team at Universidad 
de Cantabria that develops the MAST tool on novel algorithms 
for exploring an N-dimensions parameter space. 
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